TLS certificate question about Unbound 1.9.2

Yuri yvoinov at gmail.com
Thu Apr 4 17:44:37 UTC 2019


04.04.2019 23:35, rollingonchrome via Unbound-users wrote:
> Hi Wouter,
>
> Thank you for taking a look at my config file.
>
> Sorry for any confusion. I am running Unbound 1.9.1. That should
> support the tls-cert-bundle option, correct?
>
> I had initially tried my config file with 1.9.2, but at Yuri's
> suggestion, I downgraded to the latest stable version, 1.9.1.
>
> The tls-cert-bundle option did not work with either 1.9.2 or 1.9.1.
>
> I am running Unbound compiled from source on a Raspberry Pi (Raspbian
> Jessie).
>
> I now think the problem may be in the OpenSSL version on Raspbian,
> which only supports TLS 1.2.
Assume that it is. However, as far as I know, support for TLS is a function of
the openssl library. What prevents you from building a version with the
necessary protocol (for example, openssl 1.0.2o) and re-building Unbound
with it?
>
> Thank you for your help.
>
> Best,
>
> RoC
>
> Wouter Wijngaards wouter at nlnetlabs.nl
> Thu Apr 4 09:04:46 CEST 2019
> Hi,
>
> So this config file is fine, the tls-cert-bundle should work fine with a
> version of unbound that supports the options (e.g. 1.9.2).  Like, for me,
> it works.  I guess you downgraded and are now using an older version
> that does not support the tls-cert-bundle option, so the unknown keyword
> error is accurate?
>
> Best regards, Wouter
>
> On 4/3/19 7:52 PM, rollingonchrome via Unbound-users wrote:
> > Hello,
> >
> > Thank you for the replies. I believe I have the tls-cert-bundle
> > information correctly indented now. But, I am still getting the same
> > errors as before about unknown keywords and strays.
> >
> > It is indented like this:
> >
> > server:
> >
> >       [a few lines omitted]
> >
> >      #Added for DoT
> >      tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
> >
> > Here is a link to my actual conf file if anyone would be willing to take
> > a look:
> > https://send.firefox.com/download/83192a35d41caf47/#G4NxNtajpM1KmZgLI-boBg
> >
> > I've read that OpenSSL on Jessie doesn't support any TLS except 1.2, so
> > I'm wondering if that might be this issue. Not sure what version of TLS
> > Unbound 1.9.1 uses (I downgraded).
> >
> > Thank you for your help.
> >
> > Best,
> >
> > RoC
>
-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
